Teleport 2.3 Released

Sep 19, 2017 by Ev Kontsevoy

Today we are happy to unwrap version 2.3
of Teleport. The focus of this release has been on making
Teleport more pleasant to configure and use.

Teleport was initially developed to be an internal library
that Telekube used to connect to distributed Kubernetes clusters. However, its rapid adoption as a standalone tool (over 5,200 stars on GitHub) has warranted more focus on improving its user experience.

Before we dive into the 2.3 release notes, let us introduce Teleport to the new
readers of this blog.

What is Teleport?

Teleport is a modern SSH server designed for distributed teams accessing shared, distributed
infrastructure. It allows teams or organizations to manage trust across their users and compute infrastructure with the following features:

The Enterprise edition includes SSH RBAC with SSO via SAML or OpenID Connect.

Teleport is fully compatible with OpenSSH clients and servers and can be used
just as a bastion, issuing SSH certificates and providing connectivity to
legacy clusters located behind firewalls.

What’s new in 2.3?

As usual, the full list of changes can be found on GitHub,
but here are the most significant changes:

Web UI Improvements.

Enhanced OpenSSH compatibility.

Simplified configuration of trusted clusters.

Dynamic (programmatic) configuration of clusters.

The Enterprise Teleport users also receive:

Vastly improved RBAC with more granular access rules.

Authentication against multiple SAML/OIDC providers.

Web UI Improvements

Previous versions of Teleport had the unfortunate limitation of not letting Web UI
users connect to OpenSSH servers. The new UI now includes a simple edit box with
a familiar syntax: just type [email protected] in the “connect” field to connect to
any server within a cluster:

OpenSSH Compatibility

With larger organizations adopting Teleport, we have been receiving
numerous requests to make it easier for users to migrate to Teleport from their
existing OpenSSH-based workflows.

Below are some examples:

SSH CLI

Typing tsh ssh can be tiresome and creating a shell alias isn’t always an
option, especially if you have a lot of scripts that won’t benefit from an
alias. The latest Teleport tsh client can be renamed to ssh (or you can
create a symlink) and its CLI flags become fully compatible with the existing
ssh usage: inside of bash scripts, Ansible scripts, etc.

SSH Agents

At the end of a successful login, the tsh login command now sends the SSH
certificate to an active SSH agent. This, again, makes it much easier
to use ssh (or any other SSH client) after the login, perhaps by
modifying ~/.ssh/config:

With these changes, the Teleport user experience becomes almost identical to traditional ssh.

We have also received a tremendous amount of interest in
improving the Web client to completely replace PuTTY
for Windows users. Teleport already has a much nicer web-based terminal UI,
but additional features like web-based scp and
web-based agent forwarding are also in the works.

Configurable Ciphers

Teleport is based on Google’s SSH implementation and we initially assumed
that their choice of ciphers, key exchange and MAC algorithms should work for everybody. However, we found that different organizations may have their own, different standards.

In order to accommodate this, the crypto can now be restricted to a
predefined list of ciphers, KEX and MAC algorithms. See the new
configuration options in the Teleport documentation.
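
One way to confirm that such a restriction took effect is to compare what the server actually offers against your organization's list. The script below is an added example, not code from the Teleport project: it parses the server's KEXINIT proposal from OpenSSH `ssh -vv` debug output and reports anything outside an allowlist. The `POLICY` values and the sample output are constructed for illustration.

```python
import re

# Assumed organizational allowlist (hypothetical policy, not Teleport's defaults).
POLICY = {
    "kex": {"curve25519-sha256@libssh.org", "ecdh-sha2-nistp256"},
    "ciphers": {"aes128-ctr", "aes256-ctr", "aes128-gcm@openssh.com"},
    "macs": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"},
}
# OpenSSH `ssh -vv` debug2 labels mapped to policy categories.
LABELS = {"KEX algorithms": "kex", "ciphers ctos": "ciphers",
          "ciphers stoc": "ciphers", "MACs ctos": "macs", "MACs stoc": "macs"}

# Constructed sample of `ssh -vv` output; not captured from a real server.
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes256-ctr,arcfour256
debug2: ciphers stoc: aes128-ctr,aes256-ctr,arcfour256
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-96
debug1: kex: algorithm: curve25519-sha256@libssh.org
"""

def server_offer(debug_output):
    """Collect algorithms from the server's KEXINIT proposal only."""
    offer = {"kex": set(), "ciphers": set(), "macs": set()}
    in_server = False
    for line in debug_output.splitlines():
        line = line.strip()
        m = re.match(r"debug2: (.+?): (\S*)$", line)
        if "KEXINIT proposal" in line:
            in_server = "peer server" in line  # skip the client's own proposal
        elif in_server and m and m.group(1) in LABELS:
            offer[LABELS[m.group(1)]].update(filter(None, m.group(2).split(",")))
        elif in_server and not line.startswith("debug2:"):
            in_server = False  # proposal block ended
    return offer

def violations(debug_output, policy=POLICY):
    """Return {category: sorted algorithms the server offers outside policy}."""
    offer = server_offer(debug_output)
    return {k: sorted(v - policy[k]) for k, v in offer.items() if v - policy[k]}

if __name__ == "__main__":
    for category, algos in violations(SAMPLE).items():
        print(f"{category}: outside policy -> {', '.join(algos)}")
```

OpenSSH writes its debug lines to stderr, so redirect it (`2>&1`) when capturing output to feed to `violations()`.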

Simplified Trusted Clusters.

The Teleport Trusted Clusters feature allows users of one SSH cluster “A” to
connect to another cluster “B” even when “B” is located behind a firewall
without any open TCP ports.

We have seen this feature used in scenarios like:

Connecting to IoT systems when remote SSH connectivity is needed into “field devices”.

As you can see, different parts of an SSH cluster now have quite granular
access rights and permissions. A Teleport administrator can remove access to the recorded
sessions, configure SSH options on a per-role basis, map roles between
different clusters for infrastructure co-owned by multiple organizations and
much, much more.

Talk to us!

For more information about Teleport, you can take a look at the
documentation or the
overview. It is open sourced, so
feel free to dig in - issues and/or pull requests are welcome. Also, feel free to
reach out via email if you have additional questions: [email protected].